pledge xenodm

pledge xenodm

Ricardo Mestre-2
Hi,

Looking at pledging xenodm a little bit more I was able to run it with
the diff below across X restarts, with stock configuration.

Please test it; if you have special configs, even better, since most likely
this will break it, but we need to know where and why, and with that maybe
trim xenodm's bloat.

DisplayManager:
rpath: open(2) /etc/X11/xenodm/xenodm-config
cpath: unlink(2) d->authFile
proc: kill(2)

Session:
rpath: open(2) /etc/fbtab
wpath/cpath: open(2) d->authFile
fattr: chmod(2) d->authFile
dns: sysctl(2) for name resolution
proc: kill(2)
exec: execve(2) /etc/X11/xenodm/TakeConsole
id: setuid(2)

Index: dm.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/dm.c,v
retrieving revision 1.6
diff -u -p -u -r1.6 dm.c
--- dm.c 11 Jul 2018 16:57:04 -0000 1.6
+++ dm.c 31 Oct 2018 15:15:49 -0000
@@ -604,6 +604,10 @@ StartDisplay (struct display *d)
  Debug ("pid: %d\n", pid);
  d->pid = pid;
  d->status = running;
+
+ if (pledge("stdio rpath cpath proc", NULL) == -1)
+ exit(OPENFAILED_DISPLAY);
+
  break;
     }
 }
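Review bot: the failure branch `exit(OPENFAILED_DISPLAY)` leaves no record of why the process went away; pledge(2) only fails with EINVAL for a malformed promise string or EPERM when a call tries to widen an earlier pledge, so log the error (with errno) through the same facility this function already uses for `Debug ("pid: %d\n", pid)` before exiting, otherwise a bad promise set shows up only as a silent exit of the display manager.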
Index: session.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/session.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 session.c
--- session.c 11 Jul 2018 20:28:41 -0000 1.12
+++ session.c 31 Oct 2018 15:15:49 -0000
@@ -378,6 +378,10 @@ StartClient (
     default:
  Debug ("StartSession, fork succeeded %d\n", pid);
  *pidp = pid;
+
+ if (pledge("stdio rpath wpath cpath fattr dns proc exec id", NULL) == -1)
+ exit(25);
+
  return 1;
     }
 }
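Review bot: `exit(25)` is a bare magic number while the dm.c hunk in the same diff uses the symbolic `OPENFAILED_DISPLAY`; give this exit status a named constant (or reuse the existing one) so both pledge failure paths are consistent and a reader can tell what 25 means without consulting the caller.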

----- End forwarded message -----

Re: pledge xenodm

Ricardo Mestre-2
Prodded by deraadt@, here's a rebased diff against xenocara's source root directory,
usually /usr/xenocara.

Index: app/xenodm/xenodm/dm.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/dm.c,v
retrieving revision 1.6
diff -u -p -u -r1.6 dm.c
--- app/xenodm/xenodm/dm.c 11 Jul 2018 16:57:04 -0000 1.6
+++ app/xenodm/xenodm/dm.c 3 Nov 2018 11:10:06 -0000
@@ -604,6 +604,10 @@ StartDisplay (struct display *d)
  Debug ("pid: %d\n", pid);
  d->pid = pid;
  d->status = running;
+
+ if (pledge("stdio rpath cpath proc", NULL) == -1)
+ exit(OPENFAILED_DISPLAY);
+
  break;
     }
 }
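Review bot: the parent pledges `stdio rpath cpath proc` as soon as the display is `running`, but Matthieu Herrb's reply in this thread reports a crash when the first session is logged out, because the restart path creates the auth cookie and chown()s it to _x11, and chown(2) is not covered by any of these four promises; either extend the set to what the reset path actually needs, or move the pledge to a point after that work is done, and re-test the logout case before committing.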
Index: app/xenodm/xenodm/session.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/session.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 session.c
--- app/xenodm/xenodm/session.c 11 Jul 2018 20:28:41 -0000 1.12
+++ app/xenodm/xenodm/session.c 3 Nov 2018 11:10:06 -0000
@@ -378,6 +378,10 @@ StartClient (
     default:
  Debug ("StartSession, fork succeeded %d\n", pid);
  *pidp = pid;
+
+ if (pledge("stdio rpath wpath cpath fattr dns proc exec id", NULL) == -1)
+ exit(25);
+
  return 1;
     }
 }
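Review bot: trondd's reply reports `pledge "getpw", syscall 33` when a DisplayManager*autoLogin session ends and xenodm resets the display, so the autoLogin restart path performs a passwd lookup that needs the `getpw` promise, which neither this set nor the dm.c one includes; either add `getpw` to the set that covers that path or state that autoLogin across a reset is not supported with this diff.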

Re: pledge xenodm

Matthieu Herrb-7
On Fri, Nov 02, 2018 at 07:03:11PM +0000, Ricardo Mestre wrote:
> Hi,
>
> Looking at pledging xenodm a little bit more I was able to run it with
> the diff below across X restarts, with stock configuration.
>
> Please test it, if you have special configs better since most likely
> this will break it but we need to know where and why and with that maybe
> trim xenodm's bloat.

Hi,

xenodm crashes if one logs out from the first session that was
created. The pledge() call in StartDisplay is too strict.

I've not had time to fully figure out if this can be fixed. IIRC I
tried when I did the initial work on adding pledge to xenodm and it's
not possible because of the code that creates the auth cookie and
chown()s it to _x11.

I didn't have time yet to do more serious testing of the session
pledge.

>
> DisplayManager:
> rpath: open(2) /etc/X11/xenodm/xenodm-config
> cpath: unlink(2) d->authFile
> proc: kill(2)
>
> Session:
> rpath: open(2) /etc/fbtab
> wpath/cpath: open(2) d->authFile
> fattr: chmod(2) d->authFile
> dns: sysctl(2) for name resolution
> proc: kill(2)
> exec: execve(2) /etc/X11/xenodm/TakeConsole
> id: setuid(2)
>
> Index: dm.c
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/xenodm/dm.c,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 dm.c
> --- dm.c 11 Jul 2018 16:57:04 -0000 1.6
> +++ dm.c 31 Oct 2018 15:15:49 -0000
> @@ -604,6 +604,10 @@ StartDisplay (struct display *d)
>   Debug ("pid: %d\n", pid);
>   d->pid = pid;
>   d->status = running;
> +
> + if (pledge("stdio rpath cpath proc", NULL) == -1)
> + exit(OPENFAILED_DISPLAY);
> +
>   break;
>      }
>  }
> Index: session.c
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/xenodm/session.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 session.c
> --- session.c 11 Jul 2018 20:28:41 -0000 1.12
> +++ session.c 31 Oct 2018 15:15:49 -0000
> @@ -378,6 +378,10 @@ StartClient (
>      default:
>   Debug ("StartSession, fork succeeded %d\n", pid);
>   *pidp = pid;
> +
> + if (pledge("stdio rpath wpath cpath fattr dns proc exec id", NULL) == -1)
> + exit(25);
> +
>   return 1;
>      }
>  }
>
> ----- End forwarded message -----

--
Matthieu Herrb

Re: pledge xenodm

Ricardo Mestre-2
This is actually good: I made it as minimal as possible so that it
wouldn't break for me; if it breaks for you we can start from there.

On 13:41 Sat 03 Nov, Matthieu Herrb wrote:

> On Fri, Nov 02, 2018 at 07:03:11PM +0000, Ricardo Mestre wrote:
> > Hi,
> >
> > Looking at pledging xenodm a little bit more I was able to run it with
> > the diff below across X restarts, with stock configuration.
> >
> > Please test it, if you have special configs better since most likely
> > this will break it but we need to know where and why and with that maybe
> > trim xenodm's bloat.
>
> Hi,
>
> xenodm crashes if one logs out from the first session that was
> created. The pledge() call in StartDisplay is too strict.
>
> I've not had time to fully figure out if this can be fixed. IIRC I
> tried when I did the initial work on adding pledge to xenodm and it's
> not possible because of the code that creates the auth cookie and
> chown()s it to _x11.
>
> I didn't have time yet to do more serious testing of the session
> pledge.
>
> >
> > DisplayManager:
> > rpath: open(2) /etc/X11/xenodm/xenodm-config
> > cpath: unlink(2) d->authFile
> > proc: kill(2)
> >
> > Session:
> > rpath: open(2) /etc/fbtab
> > wpath/cpath: open(2) d->authFile
> > fattr: chmod(2) d->authFile
> > dns: sysctl(2) for name resolution
> > proc: kill(2)
> > exec: execve(2) /etc/X11/xenodm/TakeConsole
> > id: setuid(2)
> >
> > Index: dm.c
> > ===================================================================
> > RCS file: /cvs/xenocara/app/xenodm/xenodm/dm.c,v
> > retrieving revision 1.6
> > diff -u -p -u -r1.6 dm.c
> > --- dm.c 11 Jul 2018 16:57:04 -0000 1.6
> > +++ dm.c 31 Oct 2018 15:15:49 -0000
> > @@ -604,6 +604,10 @@ StartDisplay (struct display *d)
> >   Debug ("pid: %d\n", pid);
> >   d->pid = pid;
> >   d->status = running;
> > +
> > + if (pledge("stdio rpath cpath proc", NULL) == -1)
> > + exit(OPENFAILED_DISPLAY);
> > +
> >   break;
> >      }
> >  }
> > Index: session.c
> > ===================================================================
> > RCS file: /cvs/xenocara/app/xenodm/xenodm/session.c,v
> > retrieving revision 1.12
> > diff -u -p -u -r1.12 session.c
> > --- session.c 11 Jul 2018 20:28:41 -0000 1.12
> > +++ session.c 31 Oct 2018 15:15:49 -0000
> > @@ -378,6 +378,10 @@ StartClient (
> >      default:
> >   Debug ("StartSession, fork succeeded %d\n", pid);
> >   *pidp = pid;
> > +
> > + if (pledge("stdio rpath wpath cpath fattr dns proc exec id", NULL) == -1)
> > + exit(25);
> > +
> >   return 1;
> >      }
> >  }
> >
> > ----- End forwarded message -----
>
> --
> Matthieu Herrb
>

Re: pledge xenodm

trondd-2
On Sat, November 3, 2018 7:16 am, Ricardo Mestre wrote:
> prodded by deraadt@, here's a rebased diff on xenocara's source root directory,
> usually /usr/xenocara.

I'm using DisplayManager*autoLogin in xenodm-config and starting xenodm as
desired (not at boot) and it logs me in the first time but after ending
the X session, when xenodm tries to reset it gets a:

xenodm[63122]: pledge "getpw", syscall 33


Turns out, though, this is kind of a bogus use case.  I'm trying to exit
X.  Having it log me right back in again is silly.  I like that it kills
xenodm.  That's actually what I want. :D

Tim.
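As an added example (not code from this thread or from xenodm), a small C helper for triaging a kernel violation line like the one quoted above: it pulls out the promise the kernel says was missing and the syscall number, and builds the promise string from the session.c hunk extended with that promise so the candidate change to the pledge call can be reviewed. The log format and the sample line come from this thread; SAMPLE_LINE, parse_pledge_violation and extend_promises are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample, copied from the log line quoted in this thread. */
#define SAMPLE_LINE "xenodm[63122]: pledge \"getpw\", syscall 33"
/* Extract the missing promise and syscall number from a kernel pledge(2)
 * violation line: <prog>[<pid>]: pledge "<promise>", syscall <number>
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_pledge_violation(const char *line, char *promise, size_t plen,
    long *syscall)
{
    const char *p = strstr(line, ": pledge \""), *q;
    char *end;

    if (p == NULL)
        return 0;
    p += 10;                              /* skip ': pledge "' */
    q = strchr(p, '"');
    if (q == NULL || q == p || (size_t)(q - p) >= plen)
        return 0;
    memcpy(promise, p, (size_t)(q - p));
    promise[q - p] = '\0';
    if (strncmp(q + 1, ", syscall ", 10) != 0)
        return 0;
    *syscall = strtol(q + 11, &end, 10);  /* number per sys/syscall.h */
    return end != q + 11;
}

/* Append `missing` to the space-separated promise list `cur` unless it is
 * already there as a whole token. Returns 1 if added, 0 if already present,
 * -1 if `out` is too small. */
int extend_promises(const char *cur, const char *missing, char *out,
    size_t outlen)
{
    size_t mlen = strlen(missing), tlen;
    const char *p;
    int n;

    for (p = cur; *p != '\0'; p += tlen, p += strspn(p, " ")) {
        tlen = strcspn(p, " ");
        if (tlen == mlen && memcmp(p, missing, mlen) == 0) {
            n = snprintf(out, outlen, "%s", cur);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
        }
    }
    n = snprintf(out, outlen, "%s %s", cur, missing);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}
```

The syscall number maps to a name through /usr/include/sys/syscall.h on the OpenBSD host; whether to grant the extra promise or to drop the code path that needs it is the review decision, as the reply above illustrates.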